The UK’s Information Commissioner’s Office (ICO) said in its investigation of the breach that Marriott had “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” The ICO’s intention to fine Marriott is based on “infringements of the General Data Protection Regulation.”

The incident occurred in 2014, when hotel company Starwood’s database was breached. Marriott bought Starwood in 2016 and inherited the breach, which went undetected until November 2018. For around 367 million of those affected, Marriott said, the information taken includes some combination of their name, mailing address, phone number, email address, passport number, date of birth, gender, and other information from their Starwood account.

“We are disappointed with this notice of intent from the ICO, which we will contest,” Marriott International’s president and CEO, Arne Sorenson, said in a statement. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database. We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott.”